Symposium Recap: We Need the Cloud Act To Save Us & What Bill Dodge Got Right

Arguments in the Microsoft Ireland case are now less than a week away. Despite the desires of many (including me) that Congress move quickly to pass the CLOUD Act – and thereby moot the case – that is not likely to happen between now and February 27th. So for now, the case goes forward . . . with widely divergent views of who should win and why, as exemplified by the range of perspectives offered by the seven experts that participated in Just Security’s excellent symposium on the case.

As many of the excellent contributors have already pointed out, the key question in this case is one of statutory interpretation. Both parties agree that the relevant statutory provision – section 2703 of the Stored Communications Act — does not have extraterritorial application. They then turn to the key, unresolved questions: Is the government’s use of its warrant authority a territorial or extraterritorial exercise of its authority under section 2703 of the SCA? I share the perspective of Pamela Bookman, who writes that this is a highly “manipulable” question that “does not even purport to take into account all, or even some, of the values competing for attention in this case in any transparent way.”

Or as Bill Dodge puts it, “[d]etermining the ‘focus’ of a statute,” which is what the Court must do in this case, “is more an art than a science.” And art is, after all, in the eye of the beholder.

Dodge, nonetheless, offers a court a way to interpret the tapestry. It is, in my view, a particularly compelling one. As he puts it, the goal is a “sensible result.” He writes – and I agree – that a world in which law enforcement’s authority to compel the production of emails, pursuant to a warrant based on a judicial finding of probable cause, turns on where the data happens to be stored is “not a sensible result.” It is a blueprint for “criminal evasion” (Dodge’s point). And it makes little practical or normative sense (my addition). The speed by which data can be moved about the globe, the fact of third-party control, and the possibility of data being held in locations that have absolutely no connection to either the crime or target being investigated makes location of the 0s ad 1s that comprise our emails a particularly poor basis for delimiting jurisdiction.

Conversely, there is a real risk that a straight-up U.S. government win will – rightly or wrongly – be perceived around the world as U.S. law enforcement claiming the right to access data anywhere, without regard to the countervailing sovereign interests. This creates a precedent that foreign nations are likely to mimic. And the fact that some foreign governments already assert this kind of extraterritorial authority, as the U.S. government argues, doesn’t change this reality that more are likely to do so as well. Like it or not, this is high-profile, widely-watched case. U.S. policies and practices almost inevitably become a blueprint for others.

But again, Dodge provides an answer. He points to the promise of international comity as providing a way to deal with competing sovereign interests—something that I have argued in favor of as well. (Andrew Woods makes a similar point as well.) As Dodge notes, it is a doctrine that traditionally arises at the contempt stage – giving service providers with a possible excuse for their failure to comply with a U.S. disclosure order, on the grounds that the order conflicts with foreign law. Pursuant to this common law doctrine, providers could and should raise comity concerns if in fact the United States seeks, pursuant to its warrant authority, data of a foreigner located outside the United States, and the disclosure order conflicts with a foreign law.

And courts should take seriously those foreign government equities. Courts should push the U.S. government, whenever possible, to avoid such conflicts and work with the foreign government to access the data (i.e., through the mutual legal assistance process).

This is something that the Supreme Court could and should demand. After all, it’s not just efforts to access data that will be mimicked. Efforts to take seriously the legitimate foreign interests in controlling access to their own citizens and residents’ data are also likely to be mimicked. They will ultimately inure to the benefit of U.S. citizens and residents. It will also bolster U.S. credibility when it complains that foreign governments aren’t sufficiently respecting the U.S. interest in setting rules governing access to its own citizens and residents data.

The pending CLOUD Act recognizes that reality. It sets out a statutory mechanism for providers to raise comity claims, albeit in limited situations. But it also explicitly notes, via a savings clause, the possibility of common law comity claims with respect to instances of compulsory process issues under section 2703.

In an ideal world, the Act becomes law well before the Supreme Court rules. (Zachary Clopton suggests, as an alternative, an amendment to the Federal Rules of Criminal Procedure. This stems from a belief – also shared by James Grimmelmann that the answer to this case lies in the venue provisions of Federal Rule of Criminal Procedure 41(b). I’m not convinced that this is correct, for reasons I’ve laid out in a separate, but related debate with Orin Kerr. I’m also not convinced that the rule amendment process is as efficient as he suggests, and am wary about rulemaking as a means of resolving such a key, substantive dispute.)

In a less ideal world, the Supreme Court rules in favor of the government, and directs to the lower courts to engage in a robust comity analysis in cases that involve a foreign target located outside the United States and conflict of laws.

And in the least ideal world, Microsoft wins – and we are launched into a world in which the location of data controls access, U.S. law enforcement is unable to access data based simply on where the 0s and 1s happen to be held, and governments are incentivized to pass mandatory data localization laws as a means of controlling access.